Merge tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull compiler-based variable initialization updates from Kees Cook:
 "This is effectively part of my gcc-plugins tree, but as this adds some
  Clang support, it felt weird to still call it "gcc-plugins". :)

  This consolidates Kconfig for the existing stack variable
  initialization (via structleak and stackleak gcc plugins) and adds
  Alexander Potapenko's support for Clang's new similar functionality.

  Summary:

   - Consolidate memory initialization Kconfigs (Kees)

   - Implement support for Clang's stack variable auto-init (Alexander)"

* tag 'meminit-v5.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  security: Implement Clang's stack initialization
  security: Move stackleak config to Kconfig.hardening
  security: Create "kernel hardening" config area

1 files changed, 6 insertions, 120 deletions

diff --git a/scripts/gcc-plugins/Kconfig b/scripts/gcc-plugins/Kconfig
index 74271dba4f94..80220ed26a35 100644
--- a/scripts/gcc-plugins/Kconfig
+++ b/scripts/gcc-plugins/Kconfig
@@ -13,17 +13,19 @@ config HAVE_GCC_PLUGINS
           An arch should select this symbol if it supports building with
           GCC plugins.
 
-menuconfig GCC_PLUGINS
-        bool "GCC plugins"
+config GCC_PLUGINS
+        bool
         depends on HAVE_GCC_PLUGINS
         depends on PLUGIN_HOSTCC != ""
+        default y
         help
           GCC plugins are loadable modules that provide extra features to the
           compiler. They are useful for runtime instrumentation and static analysis.
 
           See Documentation/gcc-plugins.txt for details.
 
-if GCC_PLUGINS
+menu "GCC plugins"
+        depends on GCC_PLUGINS
 
 config GCC_PLUGIN_CYC_COMPLEXITY
         bool "Compute the cyclomatic complexity of a function" if EXPERT
@@ -66,71 +68,6 @@ config GCC_PLUGIN_LATENT_ENTROPY
            * https://grsecurity.net/
            * https://pax.grsecurity.net/
 
-config GCC_PLUGIN_STRUCTLEAK
-        bool "Zero initialize stack variables"
-        help
-          While the kernel is built with warnings enabled for any missed
-          stack variable initializations, this warning is silenced for
-          anything passed by reference to another function, under the
-          occasionally misguided assumption that the function will do
-          the initialization. As this regularly leads to exploitable
-          flaws, this plugin is available to identify and zero-initialize
-          such variables, depending on the chosen level of coverage.
-
-          This plugin was originally ported from grsecurity/PaX. More
-          information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-
-choice
-        prompt "Coverage"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-        help
-          This chooses the level of coverage over classes of potentially
-          uninitialized variables. The selected class will be
-          zero-initialized before use.
-
-        config GCC_PLUGIN_STRUCTLEAK_USER
-                bool "structs marked for userspace"
-                help
-                  Zero-initialize any structures on the stack containing
-                  a __user attribute. This can prevent some classes of
-                  uninitialized stack variable exploits and information
-                  exposures, like CVE-2013-2141:
-                  https://git.kernel.org/linus/b9e146d8eb3b9eca
-
-        config GCC_PLUGIN_STRUCTLEAK_BYREF
-                bool "structs passed by reference"
-                help
-                  Zero-initialize any structures on the stack that may
-                  be passed by reference and had not already been
-                  explicitly initialized. This can prevent most classes
-                  of uninitialized stack variable exploits and information
-                  exposures, like CVE-2017-1000410:
-                  https://git.kernel.org/linus/06e7e776ca4d3654
-
-        config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
-                bool "anything passed by reference"
-                help
-                  Zero-initialize any stack variables that may be passed
-                  by reference and had not already been explicitly
-                  initialized. This is intended to eliminate all classes
-                  of uninitialized stack variable exploits and information
-                  exposures.
-
-endchoice
-
-config GCC_PLUGIN_STRUCTLEAK_VERBOSE
-        bool "Report forcefully initialized variables"
-        depends on GCC_PLUGIN_STRUCTLEAK
-        depends on !COMPILE_TEST        # too noisy
-        help
-          This option will cause a warning to be printed each time the
-          structleak plugin finds a variable it thinks needs to be
-          initialized. Since not all existing initializers are detected
-          by the plugin, this can produce false positive warnings.
-
 config GCC_PLUGIN_RANDSTRUCT
         bool "Randomize layout of sensitive kernel structures"
         select MODVERSIONS if MODULES
@@ -171,59 +108,8 @@ config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE
           in structures.  This reduces the performance hit of RANDSTRUCT
           at the cost of weakened randomization.
 
-config GCC_PLUGIN_STACKLEAK
-        bool "Erase the kernel stack before returning from syscalls"
-        depends on GCC_PLUGINS
-        depends on HAVE_ARCH_STACKLEAK
-        help
-          This option makes the kernel erase the kernel stack before
-          returning from system calls. That reduces the information which
-          kernel stack leak bugs can reveal and blocks some uninitialized
-          stack variable attacks.
-
-          The tradeoff is the performance impact: on a single CPU system kernel
-          compilation sees a 1% slowdown, other systems and workloads may vary
-          and you are advised to test this feature on your expected workload
-          before deploying it.
-
-          This plugin was ported from grsecurity/PaX. More information at:
-           * https://grsecurity.net/
-           * https://pax.grsecurity.net/
-
-config STACKLEAK_TRACK_MIN_SIZE
-        int "Minimum stack frame size of functions tracked by STACKLEAK"
-        default 100
-        range 0 4096
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          The STACKLEAK gcc plugin instruments the kernel code for tracking
-          the lowest border of the kernel stack (and for some other purposes).
-          It inserts the stackleak_track_stack() call for the functions with
-          a stack frame size greater than or equal to this parameter.
-          If unsure, leave the default value 100.
-
-config STACKLEAK_METRICS
-        bool "Show STACKLEAK metrics in the /proc file system"
-        depends on GCC_PLUGIN_STACKLEAK
-        depends on PROC_FS
-        help
-          If this is set, STACKLEAK metrics for every task are available in
-          the /proc file system. In particular, /proc/<pid>/stack_depth
-          shows the maximum kernel stack consumption for the current and
-          previous syscalls. Although this information is not precise, it
-          can be useful for estimating the STACKLEAK performance impact for
-          your workloads.
-
-config STACKLEAK_RUNTIME_DISABLE
-        bool "Allow runtime disabling of kernel stack erasing"
-        depends on GCC_PLUGIN_STACKLEAK
-        help
-          This option provides 'stack_erasing' sysctl, which can be used in
-          runtime to control kernel stack erasing for kernels built with
-          CONFIG_GCC_PLUGIN_STACKLEAK.
-
 config GCC_PLUGIN_ARM_SSP_PER_TASK
         bool
         depends on GCC_PLUGINS && ARM
 
-endif
+endmenu